Posted: Tue Jul 31, 2012 8:36 Post subject: No access to local resources when connected to VPN server
Hi everyone
I have a (basic) working Open VPN setup using my tp-link wr1043nd with DD-WRT firmware as server, but I also have one problem which have been bothering me since day one:
Once connected to my VPN server I cannot access local resources (for example administer my router via it's webinterface) and since my router is also my DNS server my name resolution goes right out the window.
Please find my serverconfig (from my DD WRT router) and client config (openvpn+openvpn gui) below.
Some more information / discussion:
My local LAN: 10.13.37.0 / 255.255.255.0
Remote LAN: 10.0.1.0 / 255.255.255.0
VPN server: 10.0.60.0 / 255.255.255.0
When _not_ connected to VPN:
From my local lan (with an ip of say 10.13.37.112)
I can access my local router via ip 10.13.37.1 and I can ping it
I can resolve names (i.e. asking the browser to open google.dk actually gives me the danish version of Google's search engine)
I can _not_ access 10.0.1.1 (which is the remote router / vpn server) via a webbrowser (for administration purposes) and I can _not_ ping it
I can _not_ use RDP to connect to computer 10.0.1.147 and I can _not_ ping it (ICMP enabled in firewall)
I can (still) use RDP to connect to computer 10.13.37.139 (which is the same computer as 10.0.1.147, just using a secondary nic) but I can _not_ ping it
I can use RDP to connect to computer 10.13.37.104 (which is a laptop, only connected to the local LAN)
When connected to VPN:
From my local lan (with an ip of say 10.13.37.112)
I can _not_ access my local router via ip 10.13.37.1 and I can _not_ ping it
I can _not_ resolve names (i.e. asking the browser to open google.dk fails during the look up stage), but I can still access remote services (e.g. a website) using it's ip address. So Google's search engine can now be found at 74.125.143.94.
I can access 10.0.1.1 (which is the remote router / vpn server) via a webbrowser (for administration purposes) and I can ping it
I can use RDP to connect to computer 10.0.1.147 but I can _not_ ping it (ICMP enabled in firewall)
I can use RDP to connect to computer 10.13.37.139 (which is the same computer as 10.0.1.147, just using a secondary nic) but I can _not_ ping it
I can _not_ use RDP to connect to computer 10.13.37.104 (which is a laptop, only connected to the local LAN)
I think the above experiences are do to the fact that all traffic is going through the VPN tunnel. This fits the above because:
EDIT: corrected 1)
1) Ping (ICMP) works on layer 3, so it should work on routed VPN. See bottom of post for original 1). Why pings do not work I do not know.
2) RDP to the local-LAN-only laptop stops working because the traffic goes through the VPN to the remote lan and it does not go back again
3) RDP to 10.13.37.139 (which is also available via VPN on ip 10.0.1.147, remember it has two nics, one for each LAN) somehow still works due to the two NICs (for reasons unknown to me)
4) Name resolution (which is the same as access to my local router 10.13.37.1) stops working for the same reson as 2). The traffic goes over the VPN and does not come back.
I how ever have NO idea WHAT SO EVER as how to fix it. I read a little about split-tunneling which should allow local traffic to go out on the local network (i.e. dns, http request for browsing etc) and only traffic for remote services to go over the VPN, but I have not succeeded in configuring it.
client
dev tun
proto udp
remote xxx.yyy.dk 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert jonas.crt
key jonas.key
ns-cert-type server
cipher BF-CBC
verb 3
auth SHA256
Edit: Original 1)
1) ping requests (which works on layer 2) are not forwarded over routed vpn (which works on layer 3) so that's why pinging is not working
Last edited by wuhtzu on Tue Jul 31, 2012 8:56; edited 2 times in total
1) ping requests (which works on layer 2) are not forwarded over routed vpn (which works on layer 3) so that's why pinging is not working
-argument. Ping (ICMP) works on layer 3 and hence should be able to go across the tunnel. I was thinking about wol packages (which do go on layer 2 and will not work on routed vpn). I will try to edit it in the original post also.
Your local LAN traffic should work regardless of the VPN, as it is not routed.
Does each device on your network have this same issue?
RDP to connect to computer 10.13.37.104
This is a local LAN, so local traffic is working,
Computer 10.0.1.147/10.13.37.139 which is it's default gateway - Windows gets 'mad' and very confused with two different default gateways.
I know I am still fairly new to OpenVPN, but how is your 2nd computer, behind your router on your local LAN, also have an IP on a 2nd NIC, on the remote network?
Your local LAN traffic should work regardless of the VPN, as it is not routed.
Does each device on your network have this same issue?
Yes, every device which is connected to my local network only. They all loose access to local resources, most irritably the DNS server (local router 10.13.37.1).
Something (presumably the OS) must take a decision about which network adapter it sends it's traffic out through. Maybe it makes the decision based on the ip. "oh, traffic for 10.13.37.104, let me send that through the adapter with a 10.13.37.x ip" and similar for the VPN "oh, traffic for 10.0.1.147, let me send that through the adapter with a 10.0.1.x ip". If that is the case then I guess this mechanism fails.
kevinds wrote:
RDP to connect to computer 10.13.37.104
This is a local LAN, so local traffic is working,
Yes, this is local network (on the 10.13.37.0 network). And it is _not_ working when VPN is connected. See 6. under "When connected to VPN:". When VPN is connected local RDP is only working to the 10.13.37.139/10.0.1.147 machine (with two nics). Not the machines only connected to local network.
kevinds wrote:
Computer 10.0.1.147/10.13.37.139 which is it's default gateway - Windows gets 'mad' and very confused with two different default gateways.
Well both NICs have a default gateway and it can ping both gateways. Which one Windows uses I think is up to it's position on the "Connections" list (Network Connections -> (Press 'Alt'-key) -> Advanced Settings -> Adapters and Bindings-tab. On that Window it reads "Connections are listed in the order in which they are accessed by network services".
Right now Local Area Connection 2 (10.0.1.0 network) has highest priority.
Please note however, that I have no issues with this machine. It does not interact with the VPN server other then being on the same local network as the one the VPN routes connections to.
I know I am still fairly new to OpenVPN, but how is your 2nd computer, behind your router on your local LAN, also have an IP on a 2nd NIC, on the remote network?
I'm not sure which machine you are referring to by "2nd computer", but this is my setup:
I have two internet connections:
Inet A (Public IP a.a.a.a) which is a fiber connection via my university (fast, but only outgoign traffic due to a firewall)
Inet B (Public IP b.b.b.b) an ADSL connection via a random telecommunications company (slower, but no firewall).
I have two networks
LAN A (10.13.37.0): Handled by Router A and connected to Inet A
LAN B (10.0.1.0): Handled by Router B and connected to Inet B (this is the 'remote' network in my first post/question).
Computer 10.13.37.112 is my desktop computer only connected to LAN A.
Computer 10.0.1.147/10.13.37.139 is simply connected to both LAN A and LAN B. Hence it is accessible via the two IP addresses.
So the answer to your question is probably that both the local network and remote network are in the same physical location. So the machine I think you refer to by "2nd" is simply connected to both networks
Okay, so I got some new information regarding this issue.
When I am actually on a 3rd party network (neither the 10.13.37.0 nor the 10.0.1.0 which are both in my apartment) I can connect to my VPN server (located on the 10.0.1.0 network) and still access local resources (the dns server for example).
So to be concrete I was at my parents house (a 10.0.0.0/255.255.255.0 network behind an ADSL connection with a public IP) and when I connect to my VPN server (my tap device gets ip 10.0.60.2, and my normal nic have ip 10.0.0.x) I can access both my 10.0.1.1 network and local resources on my parents 10.0.0.0 network. This inclucdes the DNS server (10.0.0.1) and other computers on their network.
Does this give any more hints as to what my problem might be?
I have noticed the following warning in my openvpn (client) log:
Code:
Mon Aug 13 15:19:07 2012 WARNING: potential route subnet conflict between local LAN [10.13.37.0/255.255.255.0] and remote VPN [10.13.37.0/255.255.255.0]
This makes no sense to me since I know for a fact that the network housing the VPN server is a 10.0.1.0 network and that the local network, which my client is on, is a 10.13.37.0 network.
So after trying to push some different routes from the VPN server (and obviously sticking to one of the configs) everything now works perfectly. While connected to the VPN server I can also access local resources such as my DNS server.
So right now I only have one push command:
Code:
push "route 10.0.1.0 255.255.255.0"
The push command which seem to have caused trouble is:
Code:
push "route 10.13.37.0 255.255.255.0"
This turned into the following route command on my Windows machine:
which is obviously not good since trafic to the 10.13.37.0 network is being routed to the VPN server/gateway/network (I don't really know what 10.0.60.1 is. 10.0.60.0 is the network I have specified on the ddwrt vpn config page though...) and this killed my access to my dns server among other things.
So do to my lack of knowledge about routing/routes I just assumed that the vpn server needed to push both a "route 10.0.1.0 255.255.255.0" and "route 10.13.37.0 255.255.255.0" command in order to connect the 10.0.1.0 network and the 10.13.37.0 network. I was obviously wrong?
Would anyone care to comment if I have finally understood things correctly?
